[NT] Sambar Webserver Serverside Fileparse Bypass

2002-04-17T00:00:00
ID SECURITYVULNS:DOC:2794
Type securityvulns
Reporter Securityvulns
Modified 2002-04-17T00:00:00

Description

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com


Sambar Webserver Serverside Fileparse Bypass

SUMMARY

A flaw in the serverside URL parsing could allow a malicious user to bypass serverside fileparsing and display the source code of scripts. The same flaw could allow a malicious user to crash the web service.

DETAILS

Vulnerable systems:
 - Sambar Webserver version 5.1p on Windows 2000
 - Other versions were not tested.

Immune systems:
 - Sambar Webserver version 5.2b on Windows 2000

It is possible to bypass the serverside parsing of scripts, such as .pl, .jsp, .asp and .stm files, and download their source code. The bypass also allows requests to certain DOS devices, which the server then attempts to access. The resources used in such requests are not freed properly; as a result, the web server eventually runs out of memory and the operating system kills the web service.

To bypass the serverside parsing, an attacker would have to access the resource with a suffix of <space><null>. There are many ways to achieve this in e.g. Internet Explorer, and an example of source code exposure could be:

http://server/cgi-bin/environ.pl+%00

This would return the following (Perl source code):

read(STDIN, $CONTENT, $ENV{'CONTENT_LENGTH'});
print <<END;
GATEWAY_INTERFACE: $ENV{'GATEWAY_INTERFACE'}
PATH_INFO: $ENV{'PATH_INFO'}
PATH_TRANSLATED: $ENV{'PATH_TRANSLATED'}
QUERY_STRING: $ENV{'QUERY_STRING'}
REMOTE_ADDR: $ENV{'REMOTE_ADDR'}
REMOTE_HOST: $ENV{'REMOTE_HOST'}
REMOTE_USER: $ENV{'REMOTE_USER'}
REQUEST_METHOD: $ENV{'REQUEST_METHOD'}
DOCUMENT_NAME: $ENV{'DOCUMENT_NAME'}
DOCUMENT_URI: $ENV{'DOCUMENT_URI'}
SCRIPT_NAME: $ENV{'SCRIPT_NAME'}
SCRIPT_FILENAME: $ENV{'SCRIPT_FILENAME'}
SERVER_NAME: $ENV{'SERVER_NAME'}
SERVER_PORT: $ENV{'SERVER_PORT'}
SERVER_PROTOCOL: $ENV{'SERVER_PROTOCOL'}
SERVER_SOFTWARE: $ENV{'SERVER_SOFTWARE'}
CONTENT_LENGTH: $ENV{'CONTENT_LENGTH'}
CONTENT: $CONTENT
END
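The following Python check is an added example, not part of the original advisory or of the vendor's fix. It shows how a front-end filter or a log review could flag the request form described above: it decodes the path, then rejects NUL or control bytes, segments ending in a space or dot, and reserved DOS device names. The names check_path, scan and SAMPLE_LOG, the reason strings, the device list (standard Windows reserved names) and the decoding of '+' as a space are assumptions of this example.

```python
import re
from urllib.parse import unquote_to_bytes

# Windows reserved DOS device names (the advisory does not say which ones it used).
DOS_DEVICES = {"CON", "PRN", "AUX", "NUL"} | {
    f"{p}{n}" for p in ("COM", "LPT") for n in range(1, 10)}
SCRIPT_EXTS = (".pl", ".jsp", ".asp", ".stm")  # extensions named in the advisory
REQUEST = re.compile(r'"(?:GET|HEAD|POST) (\S+) HTTP/')

def check_path(raw_path):
    """Return the reasons to reject a request path; an empty list means it passed."""
    reasons = []
    path = raw_path.split("?", 1)[0]
    # Assumption: '+' decodes to a space, as in the advisory's example URL.
    decoded = unquote_to_bytes(path.replace("+", " ")).decode("latin-1")
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in decoded):
        reasons.append("control or NUL byte in decoded path")
    for seg in decoded.split("/"):
        visible = seg.split("\x00", 1)[0]   # what a NUL-terminated string API sees
        trimmed = visible.rstrip(" .")      # Windows drops trailing spaces and dots
        if visible != trimmed:
            reasons.append("segment ends with space or dot")
        if trimmed.split(".", 1)[0].upper() in DOS_DEVICES:
            reasons.append("DOS device name")
        if seg != trimmed and trimmed.lower().endswith(SCRIPT_EXTS):
            reasons.append("script extension hidden behind trailing bytes")
    return reasons

def scan(lines):
    """Return (path, reasons) for every log line whose request path fails check_path."""
    hits = []
    for line in lines:
        m = REQUEST.search(line)
        if m and check_path(m.group(1)):
            hits.append((m.group(1), check_path(m.group(1))))
    return hits

SAMPLE_LOG = [  # constructed log lines for illustration, not taken from the advisory
    '192.0.2.10 - - [17/Apr/2002:10:00:01 +0200] "GET /index.htm HTTP/1.0" 200 1043',
    '192.0.2.77 - - [17/Apr/2002:10:00:09 +0200] "GET /cgi-bin/environ.pl+%00 HTTP/1.0" 200 812',
    '192.0.2.10 - - [17/Apr/2002:10:00:15 +0200] "GET /cgi-bin/environ.pl HTTP/1.0" 200 655',
]

if __name__ == "__main__":
    for path, reasons in scan(SAMPLE_LOG):
        print(path, "->", "; ".join(reasons))
```

The check runs on the decoded path before any extension-to-handler mapping, so the handler decision and the file open see the same name.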

Vendor response: The vendor was contacted 3rd of April, 2002. The vendor confirmed the bug on the same day, and notified us that a patch was being developed. On the 17th of April, the vendor released a new version that corrects the issues.

Corrective action: The vendor has released Version 5.2b, which is available here:
http://sambar.dnsaloas.org/win32-preview.tar.gz

ADDITIONAL INFORMATION

The information has been provided by Peter Gründl <pgrundl@kpmg.dk>.
